RE: Spyware in Octave

[Labitt, Bruce]

-----Original Message-----
From: dbateman [mailto:address@hidden 
Sent: Wednesday, September 17, 2008 11:51 AM
To: address@hidden
Subject: RE: Spyware in Octave


Labitt, Bruce wrote:
> 
> I ran the version of sed.exe that installs in c:\Program
> Files\Octave\bin on the scanner below and came up with one of the AV
> programs indicating it was suspicious.
> 
> VirSCAN.org Scanned Report :
> Scanned time   : 2008/09/17 09:43:30 (EDT)
> Scanner results: 3% Scanner(1/36) found malware!
> File Name      : sed.exe
> File Size      : 102400 byte
> File Type      : PE32 executable for MS Windows (console) Intel 80386
> 32-bit
> MD5            : df03c9fb9ebcbf8364cd8874583790b9
> SHA1           : 2b3eebc9994b595ef81a5d684fc87f62e6ba3247
> Online report  :
> http://virscan.org/report/0a85e2e2bb20e977f32ef16548e6393b.html
> 
> Scanner        Engine Ver      Sig Ver           Sig Date    Time
Scan
> result
> a-squared      4.0.0.14        2008.09.16        2008-09-16  1.54   -
> AhnLab V3      2008.09.17.02   2008.09.17        2008-09-17  0.94   -
> AntiVir        7.8.1.28        7.0.6.170         2008-09-17  2.29   -
> Arcavir        1.0.5           200809171009      2008-09-17  1.22   -
> 
> <snip>
> 
> Fortinet       2.81-3.113      9.560             2008-09-17  0.19
> Suspicious
> McAfee         5.3.00          5385              2008-09-16  1.86   -
> Microsoft      1.3903          2008.09.17        2008-09-17  4.54   -
> <snip>
> 

Ok then the fact that only one out of thirty six find it "suspicious" is
a
pretty good indication of a false positive on the part of your spyware
scanner. Note that the above scanner in fact runs all of the major
malware
scanners against the same binary, with up to date definition files, so
if a 
large percentage of these don't flag something you can safely ignore the
issue.



> sed.exe appears to be installed in two places.  The 100K file is in
the
> Octave\bin directory.  There is also another sed.exe that is installed
> in the Octave\mysys\bin directory which is only 47K.  Only the
> Octave\bin\sed.exe is flagged as being suspicious.
> 

Not sure why Michael included a second version. Perhaps he built his own
MSVC sed in octave/bin/sed.exe and the other one just happened to be
there,
built with mingw, when he installed msys. You'd have to ask Michael for
the
reason.

D.

[Labitt, Bruce]
===========================================================

I'm not that concerned.  It may be that the Fortinet report is a false
positive.  I'm just reporting my results to the list.  My company uses
McAfee, which has not found an issue.  

-Bruce